How to manage O365 Group membership through AD Security Groups and/or nested O365 Groups?

Steel Contributor

I have two issues concerning management of membership in Groups:

1. In the Outlook Widget, I see that I can add another O365 Group as a member in an O365 Group. But what does it mean? It seems like I am then adding the individual members from the other groups as members, not the Group as such? Or is the meaning of this that I should be able to manage individuals for instance in a "mother" group, and then add the group itself to another group as a nested group? Why don´t I then see the group in the membership list?

2. Security Groups and mail-enabled security groups seems to be a better way to manage a company or department team on a regular basis. But it does not seem that I am able to add an AD Security Group as a member in an Office 365 Group. Am I missing something, and/or is this on the roadmap?

41 Replies
1. Nested Groups are not supported in Groups so what you are seeing is correct: when adding a Group, you are adding the Group members and no the group itself
2. AFAIK, you cannot add security to Groups to an Office 365 Group

I would love to see this feature added.

 

Or maybe as a compromise, as part of the Dynamic list membership, add some kind of rule to say "if you are a member of this other group..."

Thanks for your comment @Juan Carlos González Martín! Even if I do´nt like the answer:). If this is the case, I will then have no easy way to manage a membership list, based on a company, department or interest level, and thereafter add them as a group to an O365 group. Dynamic membership will for many not be a good solution as it will require an AD (and HR system) with almost 100% quality, will be out of reach for a lot of companies, because of the price tag put on Azure AD Premium and nor will cover all use cases. To me, nested O365 groups and / or the possibility to add security groups to O365 groups should be the way going forward. Can anyone from Microsoft help to illuminate this issue, for instance @Dan Holme?

1- what do you mean by "Outlook widget"? Once you add a DL to an Office 365 Group it will automatically expand all the members and add each individually (there is no tie to the DL).

2- For organizational group, Azure AD dynamic membership will help and understood that there is a cost associated with it.

Thanks for reaching out, Christophe!

1- Maybe not the correct wording, but with widget I just mean the form you use when you are creating / provisioning an O365 group. As you are describing it, the advantage you can gain by adding a DL group (w members) or an O365 group (w members) to another O365 group, is just a one time advantage. While my hope is that a relation between groups could be nested.

2- Today I can add an AD Security Group to a Sharepoint teamsite, through the Share-function in Sharepoint. Therefore I don´t understand why I can´t add an AD Security Group to a CONNECTED teamsite, without having to pay a premium?

Hi all

ist there somethin new regarding using AD groups as members of Office 365 groups? It is really function which I can appreciate.  I was able to add security group to office grooup at azure portal - or to be more correct it looked like it worked (confirmation message informed me that group was successfully added) but unfortunatelly when I checked group membership, there was no change :(.

Thank you for info.

Michal

We haven't delivered anything, so nothing new. Office 365 Groups are not tied to security groups

is there a plan to add this feature? 

it is a deal braker for us, so i will really like to see it. 

this is something we are investigating and hence do not have any further details nor timeline to share at this stage, FYI @Mike McLean (OFFICE)

I noticed today that it is possible to add an Office 365 group into a SharePoint group - but would that expand the group members at that time?

 

If so, that would mean that if a new user was added to the 365 group later, they would not get permissions in SharePoint.

 

Is my understanding correct?

Just to add - I've done some testing, and what I've seen is this:

Create 365 group - add a single user 'Rob'.

Add that 365 group to the 'Members' group of a different SharePoint site.

Check permissions for 'Rob' on that SharePoint site - shows as having permissions via 'Members' group.

Add user 'Mandy' to same 365 group

Check permissions for 'Mandy' on the SharePoint site - shows as having permissions via 'Members' group

Remove 'Mandy' from 365 group

Check permissions for 'Mandy' on the SharePoint site - shows as having no permissions.

Therefore, use of 365 Groups to control access to SharePoint sites works as expected, and it respects group membership changes.
AFAIK, adding Groups to SPO sites has been there for a while
Ya, the issues with it I've seen are in regards to indexing and searching content (previously didnt work for o365 groups). I **THINK** that has also recently been fixed so that it works, but check that out too.

Also check out audience targeting, cause that didnt work either, but I havent tested it again.

I wanted to add my voice to those requesting this feature.  Ideally we would have one group that is leveraged across these different contexts.  In particular our on-prem AD group that gets synced up as a Security Group.  I'd like to either "add" O365 Groups to that group (the way you can add Teams to an O365 Group in concept) or else be able to create an O365 Group and then add then add the security group to that.  I prefer the former, but the latter would work for me as well.

We really need security groups to define members of O365 groups.... reason is simple logic: I would assume everyone would agree that there are a smaller number of expected security groups in comparison to the expected number of Office 365 groups...especially if we are going to be making O365 groups for small tasks/projects with the same list of members over and over again. O365 groups without relying on pre-set groups of individuals (security groups) is simply unusable at scale. For example - if you have 50 O365 groups for 50 different little projects and you hire more team member that will access these projects...you are stuck editing 50 groups instead of tossing that new person into one security group. The only way this works is powershell scripting - but it looks like you are at least partially adding O365 groups to prevent scripting (auto-creation of resources.) Right now it seems like O365 groups are in Chaos Mode...

I've read some other posts about this issue and there seems to be a core misconseption from MS of how larger organizations utilize Security Groups (Yes, they still have a purpose).  If Microsoft's mindest is 365 groups being used in the cloud for a small organization, there is no reason for linking to security groups.  But larger organizations need security groups on prem, and as other posters have mentioned, there are likely to be many 365 groups with the same members.  Let's pretend we have a group called "accounts_payable".  The group has access to ERP system assets, File servers (yes, not all files moved to SP yet), BI systems and then a 365 group is created for their team.  Then a few other 365 groups are created for projects for that team.  Now we're managing users in multiple groups that all should have the same membership?  This type of mindset simply doesn't work at the enterprise level.  I keep seeing examples like this that make me wonder if 365 is designed for cloud only Small Businesses.

 

Does anyone have suggestions or examples on how they're managing and tracking their security + 365 groups?  A spreadsheet?  The thought makes me nauseous. 

Please provide nesting (andI do not mean "add members") of security groups as a member of Office 365 Groups as soon as possible, and especially these synced from an on-premises AD.

Without, Office 365 Groups as well as MS Teams are not production ready even in an SMB environment, not to speak of "enterprise ready".

Please don't misunderstand me, I like the idea of Office 365 Groups and MS Teams due to their simplicity, but we can't stand an administration overhead and permissions auditing nightmare caused by a 1970s group membership concept.

Thank you very much!

I would like to add my voice to the mix.  We need the ability to add an active directory domain security group as a member of an Office 365 group.  When we onboard new employees we copy the AD account of an existing user in the same role so the new employee automatically gets added to the same groups as his coworkers in that role.  We can't easily identify and add the new employee to all of the Office 365 groups that he may need to be a member of.  I would be fine with doing this using PowerShell (add the object ID of the security group to the Office 365 group or some such) if that's what would be needed.  By the way, we are a gold partner so if this is being discussed in a forum or in preview under NDA sign me up.

Has anyone tried adding an AD group into the Office Group site collection administrators?